Nodogsplash Versions

Nodogsplash offers a simple way to provide restricted access to an Internet connection using a captive portal. Pull requests are welcome!

v5.0.2

7 months ago

This is a bugfix release.

  • Fix crash if query string is too long.

v3.2.1

7 months ago

This release has the following fixes and enhancements:

  • reset upload/download counter when a client has been authenticated a second time [mwarning]
  • print session duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
  • rework html templater to speed up splash page generation [mwarning]
  • FAS documentation updates [bluewavenet]
  • Add CSS file and update splash and status html [bluewavenet]

v5.0.1

9 months ago

This is meant as a bugfix release for CVE-2023-39120.

  • fix path traversal security issue
  • add session_limit_block feature. The session_limit_block is similar to session_timeout_block, but instead of limiting the time, it limits the traffic. It allows limiting a user to a certain amount of traffic before the user is blocked from applying again.
  • add session_timeout_block feature. The session_timeout_block config allows ending and blocking a session after a certain timeout, e.g. limiting a user to 20 minutes of internet connectivity and not allowing them to apply again.
  • Introduce variable gw_http_name/port. gw_http_name holds the http hostname and port in the correct representation to work with it. Saves sprintf calls for every connection.

v5.0.0

3 years ago

Version 5.0.0 has been forked from 3.3.2 in order to remove the FAS in a clean way. All patches from 4.5.1 have been backported.

  • Remove the FAS (forward authentication service)
  • ndsctl status: show Session Timeout
  • debian: use native format
  • common.h: increase QUERYMAXLEN to 4k
  • ndsctl_auth(): ensure client->id does not change between search and modify
  • fw_iptables: fix a deadlock in case when popen() fails
  • ndsctl status: use format_duration for Preauth/Auth Idle Timeout
  • libmicrohttpd: sanitize the path before parsing it

v4.5.1

4 years ago

Security release

  • Fix a path traversal attack

v4.5.0

4 years ago

This release adds significant new functionality yet is compatible with the previous version.

The most significant is the addition of support for https remote FAS. This is enabled using the configuration option to set fas_secure_enabled to level 3. The remote FAS will typically be situated on the Internet and have valid ssl certificates.

There are numerous other additions and fixes including documentation updates.

From the changelog:

  • Add - Enable https protocol for remote FAS [bluewavenet]
  • Add - trusted devices list to ndsctl json output [bluewavenet]
  • Add - option unescape_callback_enabled [bluewavenet]
  • Add - get_client_token library utility [bluewavenet]
  • Add - utf-8 to PreAuth header [bluewavenet]
  • Add - PreAuth Support for hashed id (hid) if sent by NDS [bluewavenet]
  • Add - library script shebang warning for systems not running Busybox [bluewavenet]
  • Add - htmlentityencode function, encode gatewayname in templated splash page [bluewavenet]
  • Add - htmlentity encode gatewayname on login page (PreAuth) [bluewavenet]
  • Add - Simple customisation of log file location for PreAuth and BinAuth [bluewavenet]
  • Add - option use_outdated_mhd [bluewavenet]
  • Add - url-encode and htmlentity-encode gatewayname on startup [bluewavenet]
  • Add - Allow special characters in username (PreAuth) [bluewavenet]
  • Add - Documentation updates [bluewavenet]
  • Add - Various style and cosmetic updates [bluewavenet]
  • Fix - Change library script shebang to bash in Debian [bluewavenet]
  • Fix - Remove unnecessary characters causing script execution failure in Debian [bluewavenet]
  • Fix - Add missing NULL parameter in MHD_OPTION_UNESCAPE_CALLBACK [skra72] [bluewavenet]
  • Fix - Script failures running on Openwrt 19.07.0 [bluewavenet]
  • Fix - Preauth, status=authenticated [bluewavenet]
  • Fix - Prevent ndsctl from running if called from a Binauth script. [bluewavenet]
  • Fix - Minor changes in Library scripts for better portability [bluewavenet]
  • Fix - Prevent php notices on pedantic php servers [bluewavenet]
  • Fix - broken remote image retrieval (PreAuth) [bluewavenet]
  • Fix - Allow use of "#" in gatewayname [bluewavenet]

v4.4.0

4 years ago

Nodogsplash 4.4.0 release

This release adds significant new functionality yet is compatible with the previous version. The most significant is Client Network Zone detection. This allows the FAS response to be dynamically tailored for each client depending on their connection to the network, mitigating the problems arising due to multiple instances of NDS not being supported on a single router. In addition to local "Zones", e.g. multiple wireless interfaces, this version also supports detection of remote 802.11s mesh gateways.

The second most significant addition of functionality is the implementation of an unescape callback for MHD that uses an unescape library script. The most obvious advantage of this is the removal of any restrictions on characters that can be used in user login form fields. Previously for example "+" and "&" could not be used. This was most noticeable in password fields. An additional advantage is that advanced developers are now able to tune the url-decode function provided by the unescape library script.

From the changelog:

  • Add Client Network Zone detection supporting local interfaces and 802.11s mesh [bluewavenet]
  • Add client zone and user agent to FAS/PreAuth logs [bluewavenet]
  • Add requirements for retrieving https remote image for login page [bluewavenet]
  • Add htmlentity encode and decode to preauth scripts [bluewavenet]
  • Implement unescape callback for MHD allowing url special characters to be used in login forms [bluewavenet]
  • Create get_client_interface library utility [bluewavenet]
  • Create unescape library utility [bluewavenet]
  • Update demo-preauth, login-option and fas scripts [bluewavenet]
  • Update fwhook restart - do not use ndsctl to check if nds is running [bluewavenet]
  • Update config files [bluewavenet]
  • Fix - allow comma space to be used in PreAuth variables [bluewavenet]
  • Fix - final redirect for fas-aes [bluewavenet]
  • Fix - ignore trusted mac if invalid [bluewavenet]
  • Documentation updates [bluewavenet]

v4.3.3

4 years ago

Nodogsplash 4.3.3 release

This version fixes two issues that can cause NDS to lock or crash: first, a coding error that leads to memory corruption, and second, deadlocks in iptables and ndsctl. Both of these issues occur at high loads and/or at high CPD detection rates.

In addition, in some circumstances, a deauthenticated client running a vpn may have suffered from querystring truncation causing vpn failure.

Some minor updates are also included.

Extract from changelog:

  • Fix Memory corruption at high loads [bluewavenet]
  • Prevent iptables and ndsctl deadlocks [lynxis]
  • Prevent query string truncation for deauthenticated client when client is using some types of vpn software [bluewavenet]
  • Add debuglevel logging in the case of a firewall restart in OpenWrt [bluewavenet]
  • Return error 403 (forbidden) when client attempts to use a forbidden http method [bluewavenet]

v4.3.2

4 years ago

nodogsplash: Version 4.3.2

This release fixes a Debian package build error.

This did not affect the OpenWrt package.

There are no other changes from v4.3.1

Signed-off-by: Rob White [email protected]

v4.3.1

4 years ago

Nodogsplash 4.3.1 release

This version provides the fix to an issue in Makefile, introduced in the previous version, that prevents the Debian package from being created.

This does not affect the OpenWrt package.

There are no other changes from v4.3.0

Signed-off-by: Rob White [email protected]